Sun Java System Access Manager 7.1 Technical Overview

Identity Repository Framework

An identity repository is a data store where information about users and groups in a company or organization is stored. The Access Manager Identity Repository Framework and related APIs are a model by which plug-ins can be written that allow communication with different types of identity repositories. Following is an illustration of the Identity Repository Framework and how it is integrated within the other features of Access Manager.

[Figure: The Identity Repository Framework and how it is integrated within the other features of Access Manager]
Note –

The information in an identity repository is maintained by provisioning products separate from Access Manager. The supported provisioning product is Sun Java System Identity Manager. See Sun Java System Identity Manager for more information.


The Identity Repository Framework is configured as a service within an Access Manager realm. Multiple identity repository plug-ins can be configured for each realm. Each plug-in configuration includes details about what operations are supported on each of the identity types based on the underlying data store. Once an Access Manager realm is configured to use a plug-in, the Identity Repository Framework will instantiate it and execute operations on the identity repository it supports. This model allows the following:

When deploying Access Manager, you must choose one or more of the supported plug-ins based on your data store. You can configure the Identity Repository Service per realm to use its own list of identity repositories to store service configurations for both users and roles. The Access Manager framework integrates data from the identity repository plug-in with data from other Access Manager plug-ins to form a virtual identity for each user. Access Manager can then use this identity in authentication and authorization processes across more than one identity repository. The virtual user identity is destroyed when the user’s session ends.

Each new plug-in developed must have a corresponding service management schema defining its configuration attributes. This schema is embedded in the service management file for the Identity Repository Service (named idRepoService.xml) as a sub-schema. Currently, Access Manager provides out-of-the-box plug-in support for the following types of identity repositories:

Access Manager Repository Plug-in (Sun Java System Directory Server)

The Access Manager Repository can reside only in Sun Java System Directory Server. During installation, the repository itself is created in the same instance of Sun Java System Directory Server that holds the Access Manager information tree. (This is the default installation mode when using the Sun Java Enterprise System installer.) The two information trees are configured in separate nodes under a single directory suffix. The Access Manager Repository Plug-in is designed to work with Sun Java System Directory Server because it makes use of features specific to that server, including roles and class of service. It uses a DIT structure similar to that of previous versions of Access Manager.


Note –

Previously, the functionality of this plug-in was provided by the AMSDK component. In Access Manager 7.1, the AMSDK functionality still exists, but as a plug-in only. (See AM SDK Plug-in.) Thus, the Access Manager Repository is compatible with previous versions of Access Manager.


When you configure an instance of Access Manager in realm mode for the first time, the following occurs:


Note –

The Java Enterprise System installer does not set up an Access Manager Repository when you configure an Access Manager instance in legacy mode. Legacy mode requires an identity repository that is mixed with the Access Manager information tree under a single directory suffix.


Active Directory

This data store type uses the LDAP version 3 specification to write identity data to an instance of Microsoft® Active Directory®.

Generic Lightweight Directory Access Protocol (LDAP) version 3

Generic LDAPv3 identity repositories may reside on an instance of any directory that complies with the LDAPv3 specifications. The directory cannot make use of features that are not part of the LDAP version 3 specification, and no specific DIT structure can be assumed, as LDAPv3 identity repositories are simply DIT branches that contain user and group entries. The identity repositories might or might not reside in the same instance of Sun Java System Directory Server as the Access Manager information tree. Each data store has a name that is unique among a realm's data store names, but not necessarily unique across all realms in the Access Manager information tree. The com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo class provides the default LDAPv3 identity repository implementation.


Note –

This configuration is not compatible with previous versions of Access Manager.
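The following Python model, added here and not part of Access Manager or this document, illustrates the rules stated above: data store names are unique only within a realm, each plug-in configuration declares which operations are permitted per identity type, and the framework merges attributes from several repositories into one virtual identity. Only the LDAPv3Repo class name comes from the page; the realm names, store names, attribute values and the flat-file class placeholder are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStoreConfig:
    """One identity repository plug-in configuration inside a realm (hypothetical model)."""
    name: str            # must be unique within its realm, not across realms
    plugin_class: str    # class the framework would instantiate for this store
    supported_ops: dict  # identity type -> set of operations this store permits


class IdentityRepositoryService:
    """Per-realm registry of data stores; a model of the page's description, not the real API."""

    def __init__(self):
        self._realms = {}  # realm name -> {store name: DataStoreConfig}

    def add_data_store(self, realm, cfg):
        stores = self._realms.setdefault(realm, {})
        if cfg.name in stores:  # uniqueness is enforced per realm only
            raise ValueError(f"data store {cfg.name!r} already configured in realm {realm!r}")
        stores[cfg.name] = cfg

    def is_supported(self, realm, store, id_type, op):
        """Gate an operation on what the plug-in configuration declares for that identity type."""
        cfg = self._realms[realm][store]
        return op in cfg.supported_ops.get(id_type, set())

    def virtual_identity(self, realm, username, reader):
        """Merge user attributes from every store in the realm that permits reading users."""
        merged = {}
        for name, cfg in self._realms[realm].items():
            if self.is_supported(realm, name, "user", "read"):
                merged.update(reader(cfg, username))
        return merged


# Constructed sample entries standing in for what each plug-in would read from its store.
SAMPLE_ENTRIES = {
    "ldap-users": {"jdoe": {"uid": "jdoe", "mail": "jdoe@example.test"}},
    "flat-file": {"jdoe": {"employeeType": "contractor"}},
}


def sample_reader(cfg, username):
    return SAMPLE_ENTRIES.get(cfg.name, {}).get(username, {})


def build_sample_service():
    svc = IdentityRepositoryService()
    ldap = DataStoreConfig("ldap-users", "com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo",
                           {"user": {"read", "create", "edit"}, "group": {"read"}})
    svc.add_data_store("/", ldap)
    svc.add_data_store("/", DataStoreConfig("flat-file", "<placeholder flat-file plug-in class>",
                                            {"user": {"read"}}))
    svc.add_data_store("/partners", ldap)  # same store name in another realm is allowed
    return svc
```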


Flat Files Repository

This repository allows you to store data and identities in a flat DIT structure on the local installation of Access Manager without having to create a separate data store. It is generally used for testing or proof-of-concept deployments.


Note –

If deploying an instance of Access Manager from a single WAR file, the default identity repository is a flat file.


Sun Directory Server With Access Manager Schema

This repository resides in an instance of Sun Java System Directory Server and holds the Access Manager information tree. It differs from the Access Manager Repository Plug-in in that it exposes more configuration attributes, allowing for greater customization.